@sudhirpandey
Last active November 17, 2021 13:58
openshift command line with Go templating and others
# Expose the master API/console on 443 through the router.
# A reencrypt route terminates TLS at the router and opens a new TLS
# connection to the backing service. Once the route exists, whoever can reach
# the router can reach the `kubernetes` service in `default`, so confirm that
# this exposure is intended before creating it.
oc create route reencrypt master \
  --service=kubernetes \
  --port=443 \
  --namespace=default
# Nested range loops over image streams (IS) and their tags.
# For every image stream in the current project, walk .status.tags and, when a
# tag named "latest" is found, print the stream name, a tab and that tag's
# index in the list. The newline sits outside the `if`, so streams without a
# "latest" tag still produce an empty line.
# NOTE(review): $total is declared but never used, and nothing is counted
# despite the original "tags count" label.
oc get is --template='{{range $i, $is:=.items}}{{ $total :=0 }}{{ range $index, $element :=$is.status.tags }}{{if eq $element.tag "latest"}}{{$is.metadata.name}}{{"\t"}}{{ $index }}{{end}}{{end}}{{"\n"}}{{end}}'
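# Get complex labels: keys containing dots or slashes cannot be reached with
# plain .field syntax, so the template uses `index` instead.
# Only the first node is read (index .items 0).
# NOTE(review): on newer clusters the non-beta key topology.kubernetes.io/region
# may be the one that is set; check which label your nodes carry.
oc get nodes --template='{{ with $i := index .items 0 }}{{ index $i.metadata.labels "failure-domain.beta.kubernetes.io/region" }}{{ end }}'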
# Patching resource limits.
# Read the current max memory of the first entry in the `resource-limits`
# LimitRange.
oc get limits/resource-limits -o jsonpath='{.spec.limits[0].max.memory}'
# JSON-patch "replace" on that same field, setting it to 1Gi. "replace" only
# succeeds when the path already exists.
# NOTE(review): the patch body uses single-quoted keys and values, which is
# not strict JSON; presumably oc parses the patch leniently. Confirm on your
# oc version.
oc patch limits/resource-limits --type=json --patch="[{'op':'replace','path':'/spec/limits/0/max/memory', 'value':'1Gi'}]"
# One-liner to roll the deployments again after a resource-limit change.
# Stage 1 prints every project name. Stage 2 prints each project's
# DeploymentConfigs as "<dc>+<namespace>". Stage 3 hands each pair to bash as
# $1 (passed as an argument, not spliced into the script text) and, for
# namespaces starting with "sandbox", scales the dc to 0, waits 10 seconds,
# then scales it to 1.
# NOTE(review): the dc always comes back with exactly 1 replica, whatever it
# ran with before, and is down in between. Run this only where that is
# acceptable.
# NOTE(review): `xargs -i` is the deprecated GNU spelling of `-I{}`.
oc get projects -o jsonpath="{range .items[*]} {.metadata.name}{'\n'}{end}" |xargs -i oc get dc -o jsonpath="{range .items[*]} {.metadata.name}+{.metadata.namespace}{'\n'}{end}" -n {}|xargs -i bash -c 'if [[ "${1#*+}" =~ '^sandbox.*' ]]; then oc scale dc "${1%+*}" --replicas=0 -n "${1#*+}" && sleep 10 && oc scale dc "${1%+*}" --replicas=1 -n "${1#*+}"; fi' - '{}'
# List every service in the cluster with its namespace, name and type.
# The TYPE column is a quick way to spot NodePort and LoadBalancer services,
# i.e. the ones meant to be reachable from outside the cluster network.
oc get service \
  --all-namespaces \
  --output=custom-columns=NAMESPACE:.metadata.namespace,NAME:.metadata.name,TYPE:.spec.type
# Print every tag of one image stream, one tag per line.
# `name` and `namespace` are placeholders for the image stream and its project.
oc get is name -n namespace --template='{{ range $index, $element :=.status.tags }}{{ $element.tag }}{{"\n"}}{{end}}'
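# List all projects, three ways.
# 1) Resource names piped through a per-project template.
oc get projects -o name | xargs -I{} oc get {} --template '{{ .metadata.name }}{{"\n"}}'
# 2) jsonpath, one name per line (each line starts with a space).
oc get projects -o jsonpath="{range .items[*]} {.metadata.name}{'\n'}{end}"
# 3) jsonpath, all names on a single space-separated line.
oc get projects -o jsonpath="{.items[*].metadata.name}"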
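# List the host of every route in every project.
# Run the pipeline directly, not inside backticks: command substitution would
# make the shell execute the printed hostnames, and route hosts are values set
# by whoever owns the project.
oc get projects -o name \
  | xargs -I{} oc get {} --template '{{ .metadata.name }}{{"\n"}}' \
  | xargs -I{} oc get routes --template '{{range .items}}{{ .spec.host}}{{"\n"}}{{end}}' -n {}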
# Get the first message from the status conditions of a DeploymentConfig.
# `service-name` is a placeholder for the dc name. The range visits every
# condition but prints only the one at index 0, followed by a space.
oc get dc service-name --template='{{ range $index, $element :=.status.conditions }}{{ if eq $index 0 }}{{ $element.message }} {{end}}{{end}}'
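# Read a value whose key contains dots or slashes (here an annotation).
# `svcname` is a placeholder for the service name.
# With jq, quote the key:
oc get svc svcname -o json | jq '.metadata.annotations."prometheus.io/probe"'
# With a Go template, use index:
oc get svc svcname --template='{{ index .metadata.annotations "prometheus.io/probe" }}'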
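# Patch every service in the current project: first a team label, then the
# prometheus.io/probe annotation.
# `-o name` yields TYPE/NAME entries, so no table header has to be stripped.
# NOTE(review): this touches every service the current user may patch in the
# project; narrow the list first if only some services should be probed.
PATCH='{"metadata":{"labels":{"team":"xxxx"}}}'
oc get svc -o name | xargs -I{} oc patch {} -p "$PATCH"
PATCH='{"metadata":{"annotations":{"prometheus.io/probe":"true"}}}'
oc get svc -o name | xargs -I{} oc patch {} -p "$PATCH"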
#capablity check
oc adm policy who-can create buildConfigs
oc adm policy who-can create build
oc adm policy who-can update build
oc adm policy who-can update buildConfigs
oc adm policy who-can create builds
oc policy who-can get imagestreams/layers -n
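# Peek into the Elasticsearch behind OpenShift logging, authenticating with
# fluentd's client certificate.
# The secret contains a private key, so extract it into a private temporary
# directory (mktemp -d creates it with mode 0700) rather than the current
# directory, and delete it when done.
es_tls_dir=$(mktemp -d)
oc get secret logging-fluentd --template='{{.data.ca}}' | base64 -d > "$es_tls_dir/ca"
oc get secret logging-fluentd --template='{{.data.key}}' | base64 -d > "$es_tls_dir/key"
oc get secret logging-fluentd --template='{{.data.cert}}' | base64 -d > "$es_tls_dir/cert"
# port-forward stays in the foreground: run it in a second terminal, then
# continue here. <es pod name> is a placeholder.
oc port-forward <es pod name> 9200:9200
curl -s --cacert "$es_tls_dir/ca" --key "$es_tls_dir/key" --cert "$es_tls_dir/cert" https://localhost:9200/_cluster/health | python -mjson.tool
# Remove the extracted key material; :? aborts if the variable is empty.
rm -rf -- "${es_tls_dir:?}"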
# Test whether a port is open from inside a container that has no network
# tools. /dev/tcp/HOST/PORT is handled by bash itself, so the container's
# shell must be bash; the redirect fails if the connection is refused.
cat < /dev/tcp/127.0.0.1/22
# HAProxy: dump the request errors it has captured, via its admin socket.
# Needs socat and access to the socket file.
echo "show errors"|socat unix-connect:/var/lib/haproxy/run/haproxy.sock stdio
# See which host interface a container's eth0 is paired with: run inside the
# container, this prints the interface index of eth0's peer link.
# NOTE(review): presumably matched against the interface list on the node;
# confirm for your network plugin.
cat /sys/class/net/eth0/iflink
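# Temporarily allow new inbound connections to <port> on a cluster node.
# -I inserts at the top of the OS_FIREWALL_ALLOW chain. These commands do not
# persist the rules; remove them again with the same arguments and -D once the
# test is over, so the port does not stay open longer than intended.
iptables -I OS_FIREWALL_ALLOW -p udp -m state --state NEW -m udp --dport <port> -j ACCEPT
# The tcp match module must be paired with -p tcp.
iptables -I OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport <port> -j ACCEPT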
# Call the API directly with a bearer token (here: list configmaps in the
# `monitoring` namespace). <token> is a placeholder.
# NOTE(review): -k turns off certificate verification, so the token can be
# handed to an endpoint impersonating the cluster; prefer --cacert with the
# cluster CA bundle.
# NOTE(review): a token given on the command line ends up in shell history
# and is visible in the process list; newer curl can read the header from a
# file with -H @file.
curl -k -H "Authorization: Bearer <token>" https://cluster.xxx.xxx.xxx/api/v1/namespaces/monitoring/configmaps
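# Override a dc container's entrypoint: run sed on the config first, then the
# image's normal start script.
# The sed appends " -insecure-tls" to the line starting with "command=clair"
# in /supervisord.conf; /boot.sh is launched only if sed succeeds.
# NOTE(review): going by its name, -insecure-tls relaxes TLS verification in
# clair. Treat this as a debugging aid and confirm before leaving it in a dc.
- args:
  - -c
  - /bin/sed -i '/^command=clair/ s/$/ -insecure-tls/' /supervisord.conf &&
    /boot.sh
  command:
  - /bin/sh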
## tcpdump in the pod without tcpdump installed
This assumes tcpdump is already installed on the node where the target container is running:
1. Get the docker container ID (oc get pod foo -o yaml | grep containerID)
2. Get the PID of the running container on the node where it runs (docker inspect feedfacedeadbeef | grep Pid:)
3. Enter the desired namespaces of said process (nsenter --target 12345 --net /bin/bash) and run binaries (like tcpdump) that live on the host